Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:34
Behavioral task
behavioral1
Sample
c06398649373f36e3dd1aae89f3532ff87e74b989a52eb2e52ab4e63a2588c83.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c06398649373f36e3dd1aae89f3532ff87e74b989a52eb2e52ab4e63a2588c83.exe
-
Size
333KB
-
MD5
85f89cfad3936cb64bd41ed7a2f57786
-
SHA1
c41236ac2431ae9e3656b0473fe438eb265bac65
-
SHA256
c06398649373f36e3dd1aae89f3532ff87e74b989a52eb2e52ab4e63a2588c83
-
SHA512
75f082afc242e8489d3a8273b52ff080eccbff8ff5875ad228cabcce4f110aebf9bf3aac93f1b1bdcdd4cd5007801541275f3ad40d899c8af8010434c6ad7cea
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeL:R4wFHoSHYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5012-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/868-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1956-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3720-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1076-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3960-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2492-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3544-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2924-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4492-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1456-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1968-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/712-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4064-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4908-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3780-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3084-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2264-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/876-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1692-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-383-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2928-461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3912-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-588-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-645-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-1301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3628-1370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3520 xrrlxfx.exe 3860 ntnbtb.exe 868 jdvpp.exe 1360 lxrlffx.exe 3448 jvpdv.exe 1228 hnhbtn.exe 1956 rxrlfxl.exe 3720 hhbtth.exe 464 rxxrlfx.exe 3932 nhtntn.exe 3564 dvvpd.exe 1424 frfxlfx.exe 860 rfxxrxr.exe 5004 bhnnhb.exe 1076 xxlfrlf.exe 2704 nbtnht.exe 3196 ppdpv.exe 4764 hnbtnn.exe 3960 djjdd.exe 2492 9fllfff.exe 3544 9xrlffx.exe 4464 hhbbbh.exe 972 jddvd.exe 4004 rflflff.exe 2924 hthbhh.exe 2236 bttnnn.exe 3620 xxrrlrl.exe 4928 vjjvj.exe 5084 lflrrxx.exe 4260 tntnbh.exe 3824 lrrrrrr.exe 924 hthbbh.exe 4516 vvpjj.exe 4820 xrlffxf.exe 4340 7hhbtt.exe 4544 9ddvp.exe 4316 xrrrllf.exe 1680 btbhtn.exe 4492 vppjp.exe 1816 xlrrrrr.exe 3340 5bhbhn.exe 1716 jdjjp.exe 1456 llffxxr.exe 532 tbnhbn.exe 4440 vdjjd.exe 3472 lfllffx.exe 1968 tbbbtt.exe 712 dpvpp.exe 5020 dvvpj.exe 1884 xrrlllf.exe 3036 3ntntt.exe 3612 vvppv.exe 4224 dvvjd.exe 456 frrxxxx.exe 2972 3ffxxxx.exe 692 nhbbtb.exe 4376 vvvdv.exe 1408 5vjdj.exe 5012 fxrrlll.exe 1728 3llrrrr.exe 1308 hnbhbn.exe 4756 vppdv.exe 4064 vjjdp.exe 4908 fflrxfl.exe -
resource yara_rule behavioral2/memory/5012-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c9a-3.dat upx behavioral2/memory/5012-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9e-8.dat upx behavioral2/memory/3860-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-15.dat upx behavioral2/memory/868-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-19.dat upx behavioral2/memory/3520-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1360-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3448-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-24.dat upx behavioral2/files/0x0007000000023ca6-29.dat upx behavioral2/memory/1228-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-33.dat upx behavioral2/files/0x0007000000023ca8-38.dat upx behavioral2/memory/1956-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3720-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-43.dat upx behavioral2/files/0x0007000000023caa-48.dat upx behavioral2/memory/3932-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/464-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-54.dat upx behavioral2/memory/3564-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-61.dat upx behavioral2/memory/1424-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3932-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-65.dat upx behavioral2/memory/1424-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-70.dat upx 
behavioral2/memory/5004-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-75.dat upx behavioral2/files/0x0008000000023c9f-80.dat upx behavioral2/memory/1076-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-84.dat upx behavioral2/memory/2704-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3196-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-91.dat upx behavioral2/files/0x0007000000023cb3-95.dat upx behavioral2/memory/3960-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-100.dat upx behavioral2/memory/4764-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2492-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-111.dat upx behavioral2/files/0x0007000000023cb7-114.dat upx behavioral2/memory/4004-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-119.dat upx behavioral2/memory/3544-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-106.dat upx behavioral2/files/0x0007000000023cb9-123.dat upx behavioral2/memory/2924-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-128.dat upx behavioral2/memory/2236-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-133.dat upx behavioral2/files/0x0007000000023cbc-137.dat upx behavioral2/memory/4928-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-142.dat upx behavioral2/memory/5084-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-146.dat upx behavioral2/files/0x0007000000023cbf-152.dat upx behavioral2/memory/4260-151-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cc0-156.dat upx behavioral2/memory/4544-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4492-175-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdj.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5012 wrote to memory of 3520 5012 c06398649373f36e3dd1aae89f3532ff87e74b989a52eb2e52ab4e63a2588c83.exe 83 PID 5012 wrote to memory of 3520 5012 c06398649373f36e3dd1aae89f3532ff87e74b989a52eb2e52ab4e63a2588c83.exe 83 PID 5012 wrote to memory of 3520 5012 c06398649373f36e3dd1aae89f3532ff87e74b989a52eb2e52ab4e63a2588c83.exe 83 PID 3520 wrote to memory of 3860 3520 xrrlxfx.exe 84 PID 3520 wrote to memory of 3860 3520 xrrlxfx.exe 84 PID 3520 wrote to memory of 3860 3520 xrrlxfx.exe 84 PID 3860 wrote to memory of 868 3860 ntnbtb.exe 85 PID 3860 wrote to memory of 868 3860 ntnbtb.exe 85 PID 3860 wrote to memory of 868 3860 ntnbtb.exe 85 PID 868 wrote to memory of 1360 868 jdvpp.exe 86 PID 868 wrote to memory of 1360 868 jdvpp.exe 86 PID 868 wrote to memory of 1360 868 jdvpp.exe 86 PID 1360 wrote to memory of 3448 1360 lxrlffx.exe 87 PID 1360 wrote to memory of 3448 1360 lxrlffx.exe 87 PID 1360 wrote to memory of 3448 1360 lxrlffx.exe 87 PID 3448 wrote to memory of 1228 3448 jvpdv.exe 88 PID 3448 wrote to memory of 1228 3448 jvpdv.exe 88 PID 3448 wrote to memory of 1228 3448 jvpdv.exe 88 PID 1228 wrote to memory of 1956 1228 hnhbtn.exe 89 PID 1228 wrote to memory of 1956 1228 hnhbtn.exe 89 PID 1228 wrote to memory of 1956 1228 hnhbtn.exe 89 PID 1956 wrote to memory of 3720 1956 rxrlfxl.exe 90 PID 1956 wrote to memory of 3720 1956 rxrlfxl.exe 90 PID 1956 wrote to memory of 3720 1956 rxrlfxl.exe 90 PID 3720 wrote to memory of 464 3720 hhbtth.exe 91 PID 3720 wrote to memory of 464 3720 hhbtth.exe 91 PID 3720 wrote to memory of 464 3720 hhbtth.exe 91 PID 464 wrote to memory of 3932 464 rxxrlfx.exe 92 PID 464 wrote to memory of 3932 464 rxxrlfx.exe 92 PID 464 wrote to memory of 3932 464 rxxrlfx.exe 92 PID 3932 wrote to memory of 3564 3932 nhtntn.exe 93 PID 3932 wrote to memory of 3564 3932 nhtntn.exe 93 PID 3932 wrote to memory of 3564 3932 nhtntn.exe 93 PID 3564 wrote to memory of 1424 3564 dvvpd.exe 94 PID 3564 wrote to memory of 1424 
3564 dvvpd.exe 94 PID 3564 wrote to memory of 1424 3564 dvvpd.exe 94 PID 1424 wrote to memory of 860 1424 frfxlfx.exe 95 PID 1424 wrote to memory of 860 1424 frfxlfx.exe 95 PID 1424 wrote to memory of 860 1424 frfxlfx.exe 95 PID 860 wrote to memory of 5004 860 rfxxrxr.exe 96 PID 860 wrote to memory of 5004 860 rfxxrxr.exe 96 PID 860 wrote to memory of 5004 860 rfxxrxr.exe 96 PID 5004 wrote to memory of 1076 5004 bhnnhb.exe 97 PID 5004 wrote to memory of 1076 5004 bhnnhb.exe 97 PID 5004 wrote to memory of 1076 5004 bhnnhb.exe 97 PID 1076 wrote to memory of 2704 1076 xxlfrlf.exe 98 PID 1076 wrote to memory of 2704 1076 xxlfrlf.exe 98 PID 1076 wrote to memory of 2704 1076 xxlfrlf.exe 98 PID 2704 wrote to memory of 3196 2704 nbtnht.exe 99 PID 2704 wrote to memory of 3196 2704 nbtnht.exe 99 PID 2704 wrote to memory of 3196 2704 nbtnht.exe 99 PID 3196 wrote to memory of 4764 3196 ppdpv.exe 100 PID 3196 wrote to memory of 4764 3196 ppdpv.exe 100 PID 3196 wrote to memory of 4764 3196 ppdpv.exe 100 PID 4764 wrote to memory of 3960 4764 hnbtnn.exe 101 PID 4764 wrote to memory of 3960 4764 hnbtnn.exe 101 PID 4764 wrote to memory of 3960 4764 hnbtnn.exe 101 PID 3960 wrote to memory of 2492 3960 djjdd.exe 102 PID 3960 wrote to memory of 2492 3960 djjdd.exe 102 PID 3960 wrote to memory of 2492 3960 djjdd.exe 102 PID 2492 wrote to memory of 3544 2492 9fllfff.exe 103 PID 2492 wrote to memory of 3544 2492 9fllfff.exe 103 PID 2492 wrote to memory of 3544 2492 9fllfff.exe 103 PID 3544 wrote to memory of 4464 3544 9xrlffx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c06398649373f36e3dd1aae89f3532ff87e74b989a52eb2e52ab4e63a2588c83.exe"C:\Users\Admin\AppData\Local\Temp\c06398649373f36e3dd1aae89f3532ff87e74b989a52eb2e52ab4e63a2588c83.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\xrrlxfx.exec:\xrrlxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\ntnbtb.exec:\ntnbtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\jdvpp.exec:\jdvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\lxrlffx.exec:\lxrlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\jvpdv.exec:\jvpdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\hnhbtn.exec:\hnhbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\rxrlfxl.exec:\rxrlfxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\hhbtth.exec:\hhbtth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\nhtntn.exec:\nhtntn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\dvvpd.exec:\dvvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\frfxlfx.exec:\frfxlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\rfxxrxr.exec:\rfxxrxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\bhnnhb.exec:\bhnnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\xxlfrlf.exec:\xxlfrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\nbtnht.exec:\nbtnht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\ppdpv.exec:\ppdpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\hnbtnn.exec:\hnbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\djjdd.exec:\djjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\9fllfff.exec:\9fllfff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\9xrlffx.exec:\9xrlffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\hhbbbh.exec:\hhbbbh.exe23⤵
- Executes dropped EXE
PID:4464 -
\??\c:\jddvd.exec:\jddvd.exe24⤵
- Executes dropped EXE
PID:972 -
\??\c:\rflflff.exec:\rflflff.exe25⤵
- Executes dropped EXE
PID:4004 -
\??\c:\hthbhh.exec:\hthbhh.exe26⤵
- Executes dropped EXE
PID:2924 -
\??\c:\bttnnn.exec:\bttnnn.exe27⤵
- Executes dropped EXE
PID:2236 -
\??\c:\xxrrlrl.exec:\xxrrlrl.exe28⤵
- Executes dropped EXE
PID:3620 -
\??\c:\vjjvj.exec:\vjjvj.exe29⤵
- Executes dropped EXE
PID:4928 -
\??\c:\lflrrxx.exec:\lflrrxx.exe30⤵
- Executes dropped EXE
PID:5084 -
\??\c:\tntnbh.exec:\tntnbh.exe31⤵
- Executes dropped EXE
PID:4260 -
\??\c:\lrrrrrr.exec:\lrrrrrr.exe32⤵
- Executes dropped EXE
PID:3824 -
\??\c:\hthbbh.exec:\hthbbh.exe33⤵
- Executes dropped EXE
PID:924 -
\??\c:\vvpjj.exec:\vvpjj.exe34⤵
- Executes dropped EXE
PID:4516 -
\??\c:\xrlffxf.exec:\xrlffxf.exe35⤵
- Executes dropped EXE
PID:4820 -
\??\c:\7hhbtt.exec:\7hhbtt.exe36⤵
- Executes dropped EXE
PID:4340 -
\??\c:\9ddvp.exec:\9ddvp.exe37⤵
- Executes dropped EXE
PID:4544 -
\??\c:\xrrrllf.exec:\xrrrllf.exe38⤵
- Executes dropped EXE
PID:4316 -
\??\c:\btbhtn.exec:\btbhtn.exe39⤵
- Executes dropped EXE
PID:1680 -
\??\c:\vppjp.exec:\vppjp.exe40⤵
- Executes dropped EXE
PID:4492 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe41⤵
- Executes dropped EXE
PID:1816 -
\??\c:\5bhbhn.exec:\5bhbhn.exe42⤵
- Executes dropped EXE
PID:3340 -
\??\c:\jdjjp.exec:\jdjjp.exe43⤵
- Executes dropped EXE
PID:1716 -
\??\c:\llffxxr.exec:\llffxxr.exe44⤵
- Executes dropped EXE
PID:1456 -
\??\c:\tbnhbn.exec:\tbnhbn.exe45⤵
- Executes dropped EXE
PID:532 -
\??\c:\vdjjd.exec:\vdjjd.exe46⤵
- Executes dropped EXE
PID:4440 -
\??\c:\lfllffx.exec:\lfllffx.exe47⤵
- Executes dropped EXE
PID:3472 -
\??\c:\tbbbtt.exec:\tbbbtt.exe48⤵
- Executes dropped EXE
PID:1968 -
\??\c:\dpvpp.exec:\dpvpp.exe49⤵
- Executes dropped EXE
PID:712 -
\??\c:\dvvpj.exec:\dvvpj.exe50⤵
- Executes dropped EXE
PID:5020 -
\??\c:\xrrlllf.exec:\xrrlllf.exe51⤵
- Executes dropped EXE
PID:1884 -
\??\c:\3ntntt.exec:\3ntntt.exe52⤵
- Executes dropped EXE
PID:3036 -
\??\c:\vvppv.exec:\vvppv.exe53⤵
- Executes dropped EXE
PID:3612 -
\??\c:\dvvjd.exec:\dvvjd.exe54⤵
- Executes dropped EXE
PID:4224 -
\??\c:\frrxxxx.exec:\frrxxxx.exe55⤵
- Executes dropped EXE
PID:456 -
\??\c:\3ffxxxx.exec:\3ffxxxx.exe56⤵
- Executes dropped EXE
PID:2972 -
\??\c:\nhbbtb.exec:\nhbbtb.exe57⤵
- Executes dropped EXE
PID:692 -
\??\c:\vvvdv.exec:\vvvdv.exe58⤵
- Executes dropped EXE
PID:4376 -
\??\c:\5vjdj.exec:\5vjdj.exe59⤵
- Executes dropped EXE
PID:1408 -
\??\c:\fxrrlll.exec:\fxrrlll.exe60⤵
- Executes dropped EXE
PID:5012 -
\??\c:\3llrrrr.exec:\3llrrrr.exe61⤵
- Executes dropped EXE
PID:1728 -
\??\c:\hnbhbn.exec:\hnbhbn.exe62⤵
- Executes dropped EXE
PID:1308 -
\??\c:\vppdv.exec:\vppdv.exe63⤵
- Executes dropped EXE
PID:4756 -
\??\c:\vjjdp.exec:\vjjdp.exe64⤵
- Executes dropped EXE
PID:4064 -
\??\c:\fflrxfl.exec:\fflrxfl.exe65⤵
- Executes dropped EXE
PID:4908 -
\??\c:\hbtnnh.exec:\hbtnnh.exe66⤵PID:4292
-
\??\c:\ddpjd.exec:\ddpjd.exe67⤵PID:1916
-
\??\c:\pdpjd.exec:\pdpjd.exe68⤵PID:3780
-
\??\c:\frfxrrr.exec:\frfxrrr.exe69⤵PID:4816
-
\??\c:\rffffff.exec:\rffffff.exe70⤵PID:2616
-
\??\c:\bttntt.exec:\bttntt.exe71⤵PID:4408
-
\??\c:\tbhhnt.exec:\tbhhnt.exe72⤵PID:3536
-
\??\c:\jvdvv.exec:\jvdvv.exe73⤵PID:2252
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe74⤵PID:3084
-
\??\c:\xlrxxff.exec:\xlrxxff.exe75⤵PID:676
-
\??\c:\thbbtt.exec:\thbbtt.exe76⤵PID:2224
-
\??\c:\vpdvv.exec:\vpdvv.exe77⤵PID:3420
-
\??\c:\xfrrlrl.exec:\xfrrlrl.exe78⤵PID:2556
-
\??\c:\rllllfl.exec:\rllllfl.exe79⤵PID:4216
-
\??\c:\tbhtnb.exec:\tbhtnb.exe80⤵PID:4044
-
\??\c:\9pjdd.exec:\9pjdd.exe81⤵PID:4628
-
\??\c:\dpppd.exec:\dpppd.exe82⤵PID:4512
-
\??\c:\lllfxxx.exec:\lllfxxx.exe83⤵PID:1712
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe84⤵PID:4504
-
\??\c:\bhtnhb.exec:\bhtnhb.exe85⤵PID:4660
-
\??\c:\jvjpd.exec:\jvjpd.exe86⤵PID:2820
-
\??\c:\vjvpp.exec:\vjvpp.exe87⤵PID:3460
-
\??\c:\fxllrff.exec:\fxllrff.exe88⤵PID:2308
-
\??\c:\nhnnnn.exec:\nhnnnn.exe89⤵PID:2264
-
\??\c:\pjjdv.exec:\pjjdv.exe90⤵PID:4464
-
\??\c:\vppdd.exec:\vppdd.exe91⤵PID:2404
-
\??\c:\fxlfllf.exec:\fxlfllf.exe92⤵PID:972
-
\??\c:\7tnhhh.exec:\7tnhhh.exe93⤵PID:1444
-
\??\c:\nhhbtt.exec:\nhhbtt.exe94⤵PID:3928
-
\??\c:\dpvvd.exec:\dpvvd.exe95⤵PID:540
-
\??\c:\7vdvd.exec:\7vdvd.exe96⤵PID:876
-
\??\c:\fxxrrfx.exec:\fxxrrfx.exe97⤵PID:4840
-
\??\c:\hbbbtt.exec:\hbbbtt.exe98⤵PID:1568
-
\??\c:\jdjjp.exec:\jdjjp.exe99⤵PID:996
-
\??\c:\jdjjd.exec:\jdjjd.exe100⤵PID:4520
-
\??\c:\ffrlxxr.exec:\ffrlxxr.exe101⤵PID:880
-
\??\c:\htbbbb.exec:\htbbbb.exe102⤵PID:3452
-
\??\c:\bthbhn.exec:\bthbhn.exe103⤵PID:2676
-
\??\c:\7ppjd.exec:\7ppjd.exe104⤵PID:924
-
\??\c:\jjdvv.exec:\jjdvv.exe105⤵PID:4436
-
\??\c:\rxlfxfr.exec:\rxlfxfr.exe106⤵PID:1624
-
\??\c:\bhnnhh.exec:\bhnnhh.exe107⤵PID:436
-
\??\c:\hntnnn.exec:\hntnnn.exe108⤵PID:4544
-
\??\c:\jvvvv.exec:\jvvvv.exe109⤵PID:4316
-
\??\c:\lxfxrll.exec:\lxfxrll.exe110⤵PID:1800
-
\??\c:\nhntbb.exec:\nhntbb.exe111⤵PID:2276
-
\??\c:\tnbbnn.exec:\tnbbnn.exe112⤵PID:2180
-
\??\c:\vpvvp.exec:\vpvvp.exe113⤵PID:1860
-
\??\c:\frrrffx.exec:\frrrffx.exe114⤵PID:1396
-
\??\c:\1nnthb.exec:\1nnthb.exe115⤵PID:752
-
\??\c:\5bhbnn.exec:\5bhbnn.exe116⤵PID:2772
-
\??\c:\ddddv.exec:\ddddv.exe117⤵PID:3496
-
\??\c:\pjppj.exec:\pjppj.exe118⤵PID:4440
-
\??\c:\fxllrxf.exec:\fxllrxf.exe119⤵PID:2608
-
\??\c:\hbtnhb.exec:\hbtnhb.exe120⤵PID:1692
-
\??\c:\pjjpj.exec:\pjjpj.exe121⤵PID:1696
-
\??\c:\7pvdv.exec:\7pvdv.exe122⤵PID:5020